The recent fine imposed by the Hellenic Data Protection Authority on PwC for General Data Protection Regulation (GDPR) violations brings to light the need for careful considerations of privacy in employment contracts.
As a lawful basis, consent is the most obvious choice. However, as the PwC case points out, consent is a weak crutch to lean on. For consent to be valid, GDPR requires it to be freely given, specific, informed, and unambiguous. In employment contracts, consent by existing or potential employees is hardly likely to be freely given, given the imbalance of power between employer and employee.
In this case, PwC had requested its employees to sign a “Statement of Acceptance of Terms of Personal Data,” which included clauses requiring staff to give their consent:
- To expressly and unconditionally permit the company to register and use personal information
- To the disclosure of such personal information to third parties in the pursuit of its business interests
- To initiate further monitoring with the use of cameras, etc.
The Hellenic Data Protection Authority raised questions about compliance with Article 5 (1) (Principles relating to the processing of personal data), which requires lawfulness, fairness, and transparency.
The criteria for selecting the lawful basis of processing – as stated in Article 6 (1) – were also enquired into by the Hellenic Data Protection Authority, which concluded that the lawful basis for processing had been incorrectly determined by the consulting company.
The record of processing activities maintained by the controller should include the lawful basis for each processing operation and the justification for choosing that basis. Consent should be chosen as a lawful basis only after careful consideration of the facts. In employment contracts, relying solely on consent is detrimental to the interests of the employer.
The amount of the fine is not significant, given the size of the organization. What is more important is the message it communicates – data protection authorities are getting their act together to look not only at big-ticket breaches and exposures, but also at compliance with the spirit of GDPR.
Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.